Providing multi-token based protection against cross site request forgery

Abstract

[ACCESS RESTRICTED TO THE UNIVERSITY OF MISSOURI AT AUTHOR'S REQUEST.] Cross Site Request Forgery (CSRF) attacks occur when a malicious website forces a user's web browser to perform unwanted actions on a trusted website on which the user is already authenticated. Analysis of CSRF mitigation techniques shows that client-side defenses degrade usability and cannot be applied uniformly across different web applications, while server-side techniques such as checking the Referer header are unreliable because the header may be absent or stripped. Validation tokens can provide an effective defense against CSRF, but they can be stolen through Cross Site Scripting (XSS) attacks. Moreover, rigid implementations of validation tokens hamper navigation and degrade usability. To address the limitations of current validation-token-based defenses, this thesis presents Multi-Token based CSRF protection, which secures validation tokens from XSS attacks through a policy engine named XSS Probability Detector and provides customizable, multi-layered CSRF protection through a server-side filter called Multi-Token CSRF Protector. XSS Probability Detector inspects incoming data for possible XSS attacks and encodes the detected scripts so that they cannot execute and read validation tokens. Multi-Token CSRF Protector offers two validation token designs, a User_Identifier token and a one-time, form-specific antiCSRFToken, which can be deployed individually or together depending on the sensitivity of each page in the website.
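The following is an added illustration of the two-layer design the abstract describes, written for this page; it is not the thesis's code and does not reproduce its probability model. The server secret, the form names in the policy table, the HMAC derivation of the session-bound token, and the pattern-count XSS score with its 0.3 threshold are all assumptions chosen for the example.

```python
"""Illustrative multi-token CSRF filter (constructed example, not the thesis's code)."""
import hashlib
import hmac
import html
import re
import secrets

# Constructed for the example; a real deployment loads this from a key store.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"

# Per-form policy: which token layers a form must carry.
#   "user" = session-bound User_Identifier token
#   "form" = one-time, form-specific antiCSRFToken
# Form names and their sensitivity are hypothetical.
DEFAULT_POLICY = {
    "search": set(),                      # read-only, no CSRF check
    "update_profile": {"user"},           # low sensitivity: session-bound token only
    "transfer_funds": {"user", "form"},   # high sensitivity: both layers
}

# Assumed indicators of script injection; a crude stand-in for the
# thesis's probability engine, not its actual heuristics.
_XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon\w+\s*=", re.I),     # inline event handlers such as onclick=
]


def xss_probability(value: str) -> float:
    """Fraction of indicator patterns matching the input, as a score in [0, 1]."""
    hits = sum(1 for pattern in _XSS_PATTERNS if pattern.search(value))
    return hits / len(_XSS_PATTERNS)


def neutralize(value: str, threshold: float = 0.3) -> str:
    """Entity-encode input whose score reaches the threshold, so a reflected
    copy renders as text and cannot run to read tokens out of the DOM."""
    if xss_probability(value) >= threshold:
        return html.escape(value, quote=True)
    return value


class MultiTokenCsrfProtector:
    """Server-side filter issuing and checking both token layers per policy."""

    def __init__(self, policy=None):
        self.policy = policy if policy is not None else DEFAULT_POLICY
        self._form_tokens = {}  # (session_id, form_id) -> unspent one-time token

    def user_identifier_token(self, session_id: str) -> str:
        """Session-bound token derived as HMAC(secret, session id) (assumed
        derivation). Stable for the session, so it can be embedded on every
        page without per-form bookkeeping."""
        return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

    def issue_form_token(self, session_id: str, form_id: str) -> str:
        """Fresh random token bound to one form in one session; valid once."""
        token = secrets.token_urlsafe(32)
        self._form_tokens[(session_id, form_id)] = token
        return token

    def validate(self, session_id: str, form_id: str, submitted: dict) -> bool:
        """Check the layers the policy requires. Forms missing from the policy
        are treated as high sensitivity and require both tokens."""
        required = self.policy.get(form_id, {"user", "form"})
        if "user" in required:
            expected = self.user_identifier_token(session_id)
            given = submitted.get("user_token", "")
            if not hmac.compare_digest(expected.encode(), given.encode()):
                return False
        if "form" in required:
            # pop() spends the token whether or not the check passes, so a
            # forged or replayed submission cannot be retried with the same value.
            expected = self._form_tokens.pop((session_id, form_id), None)
            given = submitted.get("form_token", "")
            if expected is None or not hmac.compare_digest(expected.encode(), given.encode()):
                return False
        return True
```

Spending the one-time token on a failed check means a forged request that reaches the server first can only make the legitimate user's submission fail and re-render the form with a new token; it cannot make the forged request succeed. The session-bound token alone is enough for low-sensitivity forms and keeps navigation (back button, multiple tabs) working, which is the usability point the abstract raises against rigid one-token designs.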